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(54) Method and system for lawful interception of packet switched network services 



(57) A method for lawful interception of packet 
switched network services, comprising the steps of: 

when a user accesses the network and is identified 
by a target-ID at a primary interception point of the 
network, sending the target-ID to an interception 
management center, 

checking at the interception management center 
whether the user is a lawful interception target and 
sending an encrypted interception instruction set to 



a secondary interception point, 

decrypting said interception instruction set at the 
secondary interception point and performing an in- 
terception process in accordance with the intercep- 
tion instruction set, said interception process includ- 
ing the transmission of encrypted interception and 
dummy data to a mediation device, wherein said 
dummy data are added for obscuring true intercep- 
tion traffic between the secondary interception point 
and the mediation device. 
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Description 

BACKGROUND OF THE INVENTION 

1. Field of the invention 

[0001] The invention relates to a method and a sys- 
tem for lawful interception of packet switched network 
services. 

[0002] According to recent legislation in many coun- 
tries, providers of packet switched network services are 
obliged to provide facilities that permit lawful intercep- 
tion of the data traffic over the network. While some 
countries prescribe that all traffic of all users or subscrib- 
ers to the network services shall be monitored, the laws 
of other countries provide that such general monitoring 
is forbidden and interception of traffic to or from users, 
even interception of only the connection data, is permit- 
ted only for specific users or subscribers who qualify, e. 
g. by court order, as lawful interception targets. Of 
course, the service provider has a responsibility to make 
sure that the identities of lawful interception targets are 
kept secret. 

[0003] Accordingly, there is a demand for a method 
and a system for lawful interception of packet switched 
network services that can be implemented and operated 
at relatively low costs and can easily be adapted to dif- 
fering legal provisions and requirements in various 
countries. 

2. Description of the related art 

[0004] A conventional approach is the so-called hard- 
ware monitoring, which means that specialized equip- 
ment necessary for interception purposes is installed at 
a location where the specified lawful interception target 
gets access to the network. This involves high costs and 
has the further drawback that the secrecy requirement 
is difficult to fulfill, because of the potential visibility of 
the hardware to not security-screened staff. Moreover, 
this approach is not practical when the network can be 
accessed from mobile units such as mobile telephones, 
laptop computers and the like, or through public access 
points such as WLAN hot spots or simply by dialing in 
over a PSTN with a modem or via ISDN from a hotel or 
public telephone. 

[0005] Another known approach is the so-called soft- 
ware monitoring, wherein suitable software is imple- 
mented within the internal network of the service provid- 
er for identifying the subscribed users that connect to 
the network and for deciding whether or not the traffic 
to or from these subscribers shall be intercepted. This 
solution involves a certain amount of interception-relat- 
ed traffic within the internal network of the service pro- 
vider, and this traffic may be observable by a relatively 
large number of employees of the service provider, so 
that careful security screening of the personnel is nec- 
essary in some countries. This not only constitutes a 



high cost factor but may also raise intricate legal prob- 
lems in view of employment contracts and the like. 
[0006] The European Telecommunications Stand- 
ards Institute (ETSI) has published specifications for a 
5 lawful interception reference model (ETSI-document ES 
201 671). 

[0007] An Internet document of Baker et aL: "Cisco 
Support for Lawful Intercept in IP Networks", April 2003, 
http://www.rfc-editor.org/internet-drafts/draft-baker- 
10 slem-architecture-00.txt, recommends that intercept 
traffic between an interception point and a mediation de- 
vice is encrypted in order to limit unauthorized personnel 
from knowing lawfully authorized intercepts. 

15 SUMMARY OF THE INVENTION 

[0008] According to the invention, a method for lawful 
interception of packet switched network services, com- 
prises the steps of: 

when a user accesses the network and is identified 
by a target-ID at a primary interception point of the 
network, sending the target-ID to an interception 
management center, 

checking at the interception management center 
whether the user is a lawful interception target and 
sending an encrypted interception instruction set to 
a secondary interception point, 

decrypting said interception instruction set at the 
secondary interception point and performing an in- 
terception process in accordance with the intercep- 
tion instruction set, said interception process includ- 
ing the transmission of encrypted interception and 
dummy data to a mediation device, wherein said 
dummy data are added for obscuring true intercep- 
tion traffic between the secondary interception point 
and the mediation device. 

[0009] A system implementing the method according 
to the invention comprises at least one Packet Switching 
Service Point (PSSP) that includes interception func- 
tionality (e.g. an Internal Intercept Function (II R) as 
specified in the ETSI model) and thereby serves as the 
primary and/or secondary interception point, and a Me- 
diation Device (MD) through which the intercepted data 
and related information are handed over to one or more 
Law Enforcement Agencies (LEAs) who want to receive 
and evaluate the intercepted data. The PSSP may be 
any node in the network where data packets, including 
packets that contain the user-ID of a subscriber to the 
network, can be intercepted. The above-mentioned pri- 
mary and secondary interception points may be formed 
by different PSSPs but are preferably formed by one and 
the same PSSP. The system further comprises an Inter- 
ception Management Center (IMC). This is the place 
where the interception policy is provisioned as request- 
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ed by the law enforcement agencies. The IMC stores 
the identities of lawful interception targets (user-IDs, de- 
vice-IDs, access-line IDs or other means to identify a 
target user with reasonable probability), that are serv- 
iced by the one or more PSSPs that are associated to 5 
this IMC. The IMC may further store information on the 
modes and scopes of interception that are applicable to 
the various targets and non-targets. 
[001 0] As is well known in the art, a user who has sub- 
scribed to the services of a packet switched network 
service provider is uniquely identified by any suitable 
identification that is called "user-ID" and may consist of 
the name of the user or any other suitable identifier such 
as a pseudonym. Alternatively or additionally, a user or, 
more precisely, an interception target may be specified 
by an access line ID such as a telephone number, a 
DSL-Line-ID, an ATM virtual channel or the like. In the 
present application, the term "target-ID" is generic to us- 
er-IDs and access line IDs and device IDs such as the 
MAC-Adress of a network interface card utilized by the 
target user. 

[0011] When a user starts a usage session he gets 
identified by a minimum of one target-ID. Sometimes 
multiple target-IDs are present. The following are com- 
mon target-ID classes: 

1. a User-ID (usually combined with password for 
authentication). This is often summarized as 
"something you know" (or at least are supposed to 
know - the user or a legitimate user may have stored 
the user-ID and the password on the device being 
used, so the current user may not need to know the 
user-ID if he has access to the device with user- 
name and password stored). 

2. a Device-ID of a device that he is using (such as 
a MAC adress of a network interface card, or a mo- 
bile station ID of a mobile handset, or via a Sub- 
scriber Identification Module in a mobile phone). 
This class of target-ID may be summarized as: 
"something you own", and is particularly useful in 
mobile scenarios. An IP-adress such as an IP-Ver- 
sion 6 adress may be considered a device ID in a 
mobile IP scenario when the IP-adress is assigned 
to the device. 

3. an access network resource ID referred to here- 
after as access-line-ID. This is a network interface 
ID of a network element that is not owned by the 
user, rather by the service provider or a business- 
partner of the service provider. An example is a 
DSL-line ID in a DSL access network, or the com- 
bination of an ATM device name, slot-number, port- 
number and ATM virtual Circuit ID. Another exam- 
ple would be an IP-Adress permanently assigned 
to said network interface. This class of target-IDs 
may be summarized as: "something you probably 
utilize in the network" as is the case for example 



with the DSL-Une into the house of a target user. 
This concept is very similar to voice wiretapping in 
fixed networks, which is usually done to the tele- 
phone access line as well and intercepts all com- 
munications over that telephone line, regardless if 
the intended target user speaks or somebody else 
having access to the phone attached to the line. 

[0012] When the user connects to the network with a 
target ID being a user-ID, a logon procedure is per- 
formed in which the user has to authenticate himself by 
indicating his user-ID and, optionally, a password and 
the like. Conventionally, this authentication process has 
the purpose to permit the service provider to check 
whether the user has actually subscribed to the servic- 
es. In case of commercial service providers, the authen- 
tication process is also needed for billing purposes. In 
some cases the user identification or logon procedure 
is performed utilizing a device-ID for identification of the 
device used by the user, without requiring a password, 
for example when providing an IP address granting lim- 
ited access via DHCP based on a MAC address pre- 
sented by the device or by a network interface card be- 
ing part of the device. Such procedure is common when 
providing limited scope access to a user prior to proper 
authentication. In case of fixed line access, there may 
be no special logon procedure, as the user is being con- 
sidered fixed to a certain access line which may have 
been permanently provisioned with a fixed IP address 
for example (similar to the situation in telephony, where 
a telephone line is permanently provisioned with a fixed 
telephone number). In some cases the device may 
present an IP-address such as a fixed IP-Version 6 ad- 
dress that has been assigned to the device. 
[0013] According to the invention, the fact that the us- 
er has to indicate his user-ID or utilize at least one target 
ID when connecting to the network is also utilized for 
interception purposes. To this end, the user ID (and the 
access line ID or device ID, as the case may be) is de- 
tected at the PSSP serving as an interception point. It 
will be clear that, in order to be able to intercept all sub- 
scribers to the network, if required, the PSSPs having 
interception facilities must be strategically located in the 
network so that no subscriber can get access without 
passing at least one interception point. The target-ID is 
sent to the IMC where it is checked against the list of 
lawful interception targets and explicit non-targets. The 
IMC responds to the same PSSP from which the tar- 
get-ID originated - or else to another PSSP - with an 
encrypted message indicating at least whether or not 
the target-ID represents a lawful interception target. The 
response, which is called an interception instruction set, 
may further specify whether the target is identified by its 
user-ID (i. e. interception of traffic to or from this user) 
or by its access line ID (i. e. interception of all traffic over 
this line, irrespective of the identity of the user) or by 
another temporary target-ID that is included in the inter- 
ception instruction set, and may also include additional 
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information. For example, the interception instruction 
set may include a "conditional interception instruction", 
instructing the PSSP to monitor the traffic associated 
with the target-ID and start the interception of the com- 
plete traffic or a portion of the traffic only when a certain 5 
trigger condition occurs, said trigger condition being one 
of: usage of certain network or content resources or us- 
age of a certain catchword, virus signature or bit-pattern 
specified in the interception instruction set. As another 
example, the interception instruction set may specify dif- 10 
ferent interception classes indicating whether all pack- 
ets or only a random selection of packets or only a spec- 
ified subset of packets originating from or sent to the 
target are to be intercepted. The PSSP will then inter- 
cept the data packets in accordance with these instruc- 15 
tions and will send them, again in encrypted form, to the 
mediation device. 

[0014] The PSSP includes both, encryption and de- 
cryption facilities. The IMC includes at least encryption 
facilities for the interception instruction set, and the me- 20 
diation device includes at least decryption facilities. 
[001 5] It is an advantage of the invention that the traf- 
fic between the PSSP and the mediation device and also 
most of the traffic between the PSSP and IMC is en- 
crypted, so that it cannot be understood by an observer 25 
monitoring the traffic (encryption of the target-ID sent to 
the IMC may however be dispensed with). Thus, even 
the service provider's employees, for whom it would 
most likely be possible to monitor the traffic, cannot eas- 
ily discover the identity of the lawful interception target. 30 
From the viewpoint of secrecy requirements, it is a fur- 
ther advantage that it is not necessary to implement the 
functionality of the IMC at each individual PSSP. The 
IMC and the mediation device may be located remote 
from the PSSP(s) and may thus be centralized, so that 35 
considerable cost savings can be achieved without vio- 
lating secrecy requirements. Further, since no informa- 
tion on the identity of the lawful interception targets is 
permanently present at the individual PSSPs, and, if 
present, is stored in encrypted form or in an encrypted *o 
file, the personnel having access only to the PSSPs will 
not be able to identify the interception targets or deter- 
mine if a true interception target is accessing that par- 
ticular PSSP. The identity of the interception targets will 
only be known to a very limited number of employees, 45 
if any, who have access to the information stored in the 
single IMC or relatively few centralized IMCs, or have 
special operator privileges not available to non-security 
screened staff. It is understood that only a few staff 
members of the service provider, if any, have access to 50 
a secured area or locked room where the IMC may be 
located as well as the Mediation Device. 
[0016] According to another important feature of the 
invention the security and secrecy is further enhanced 
by obscuring even the fact that interception-related traf- 55 
fic occurs between the PSSP and the mediation device. 
To this end, the interception instruction set sent from the 
IMC to the PSSP may specify that even in those cases 



in which the user is not to be intercepted or is not even 
a lawful interception target at all, dummy data traffic is 
created between the PSSP and the mediation device, 
so that an unauthorized observer who may monitor the 
encrypted data traffic cannot decide whether the traffic 
he sees is only dummy traffic or a hint to an actual in- 
terception process. 

[0017] This enables the service provider to outsource 
the operation of the IMC and/or the mediation device to 
a third party company, which may handle all interception 
warrants presented from law enforcement agencies on 
the service-provider's behalf, without any employee of 
the service provider knowing about the details of a war- 
rant. 

[0018] The dummy interception traffic may be trig- 
gered by real packet arrival events at the PSSP or, al- 
ternatively, by random events or any other events, such 
as timer expiry. However, the dummy traffic shall not 
contain any subscriber data. In case that real subscriber 
traffic was used as triggering event for the dummy traffic, 
the contents are scrambled and made useless, so that 
the receiver or an observer cannot gather any useful in- 
formation on the actual subscriber traffic. Thus, in spite 
of the dummy traffic, the privacy of the subscriber will 
be protected in case that the subscriber is not a lawful 
interception target. 

[0019] Optionally, the invention may further include 
one or more of the following features: 

Sending re-classification messages from the IMC 
to the PSSP in order to reclassify an already active 
user to a different interception mode when, for ex- 
ample, a new interception warrant has to be imple- 
mented for an already active user, a warrant for an 
active user shall be terminated when the duration 
of the warrant has expired, a warrant for an active 
user is being withdrawn prior to expiration, or when 
the scope of a warrant for an active user is being 
changed necessitating a reclassification, e.g. from 
partial to full interception, or from no-interception to 
dummy-interception, or from dummy interception to 
no-interception. 

Hiding the information about the user interception 
class associated with an active user from not secu- 
rity screened operations staff of the service provid- 
er, by implementing special operator command 
privileges at the PSSP, in order to prohibit non-in- 
tercept-privileged operators from being able to suc- 
cessfully execute commands that show the user in- 
terception class of an active user, and/or by storing 
the user interception class in encrypted form on the 
network elements, where the decryption key is not 
available to operators without intercept-privilege. 

Discarding the dummy data directly after receipt at 
the mediation device, or alternatively using these 
dummy data for obscuring handover traffic from the 
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Fig. 10 illustrates a method of combining intercept 
traffic with dummy traffic. 

DETAILED DESCRIPTION OF THE PREFERRED 
5 EMBODIMENTS 



mediation device to the law enforcement agency. 

- . Statically or dynamically determining at the IMC the 
relation between real interception traffic and dummy 
traffic considering both the cost of the dummy traffic 
as well as the security requirements under the cir- 
cumstances, where the applied mix of user inter- 
cept classes may depend on the regulatory require- 
ments mandated by authorities, the time of day, the 
amount of simultaneously active users at a specific 
interception point (PSSP), the current traffic load, 
the theoretical peak-bandwidth required for inter- 
ception traffic of real targets from a specific inter- 
ception point, risk classification levels associated 
with the operational model applied, and general risk 
levels prevailing over a period of time in a specific 
country as declared by governmental authorities. 

[0020] In another embodiment of the invention a con- 
stant (or varying) amount of "camouflage" traffic is cre- 
ated and sent at ail times (even if no real interception is 
taking place). This camouflage traffic is composed of 
true intercept traffic and dummy data at a ratio that de- 
pends on the demand for true intercept traffic, so that 
the true intercept traffic will always be hidden in the 
amount of camouflage traffic. The camouflage packets 
may have a fixed size or variable sizes that are unrelated 
to packet sizes used by a particular subscriber. The vol- 
ume of the camouflage traffic will be at least as high as 
the maximum theoretical or practical volume of real in- 
terception traffic plus any overhead to encrypt and en- 
capsulate it into the stream of fixed-length camouflage 
traffic packets. This would make it impossible for an ob- 
server performing traffic analysis to determine if a real 
interception is taking place, and it would make it totally 
impossible to determine the fact of lawful interception 
taking place, even when sending the internal lawful in- 
terception traffic to the MD over insecure public net- 
works like the Internet. It would also make it impossible 
even for a malicious member of the operations staff 
(without interception operator command privileges) 
which is cooperating with a target, to test if a particular 
user is currently a target. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0021] Preferred embodiments of the invention will 
now be described in conjunction with the drawings, in 
which: 

Fig. 1 is a diagram illustrating a system according 
to one embodiment of the invention; 

Fig. 2 and 3are diagrams illustrating two examples 
of the method according to the invention; 

Figs. 4 to 9 are diagrams showing a modified em- 
bodiments of the system; and 



[0022] As is shown in figure 1 , a packet switched net- 
work services provider, an Internet Service Provider 
(ISP) in this example, has responsibility for a certain 

10 number of facilities allowing a number of end users 10 
to get access to the network, i.e. the Internet 12. These 
facilities are interconnected by an internal network 14 of 
the ISP and comprise a number of Packet Switching 
Service Points (PSSP) 16, i.e. switching nodes, that are 

15 each equipped with an Internal Interception Function 
(IIF) 18. 

[0023] In the example shown, the PSSPs 16 equipped 
with the IIFs 18 are situated at the subscriber edge of 
the network 14, i.e. the place where the end users 10 

20 connect to the internal network 14 and hence to the In- 
ternet 12 via any suitable access network 20 such as a 
Public Switched Telephone Network (PSTN), an inte- 
grated Services Digital Network (ISDN), a Digital Sub- 
scriber Line (DSL) access network, a mobile telephone 

25 network (2G like GSM, 2.5G like GPRS or 3G like 
UMTS), a WLAN access network, an Ethernet access 
network or a Cable Modem access network (CM) or a 
combination of the same. However, the PSSPs may also 
be located at any other node within the internal network 

30 14, as long as it is assured that the target data traffic of 
interest to and from the end users 10 will pass at least 
one of the PSSPs equipped with an IIF 18. As an exam- 
ple, a PSSP may be a "Shasta 5000 BSN" (trademark) 
available from Nortel Networks Limited (BSN stands for 

35 Broadband Services Node). Through the internal net- 
work 14, the PSSPs are connected to at least one au- 
thentication server, in this example aJ'Remote Authen- 
tication Dial-In User Service" (RADIUS) server 22, co- 
operating with a Personal User Data Base (PUD) 24 

40 which stores the user data of the subscribers (the RA- 
DIUS protocol is described in RFC 2865, entitled "Re- 
mote Authentication Dial-In User Service (RADIUS)", 
and in RFC 2866 entitled "RADIUS Accounting", both 
published by the Internet Engineering Task Force organ- 

45 ization (IETF) in June 2000). 

[0024] When an end user 1 0 connects to the services 
of the ISP, he will authenticate himself by a suitable us- 
er-ID by which the specific user is uniquely identified. 
The PSSP 1 6 forwards the user-ID to the RADIUS serv- 

50 er 22, thereby triggering an authentication procedure in 
which the user-ID is checked against the personal user 
data base 24 to see whether the user is authorized to 
the services of the ISP. When the authentication proce- 
dure is successful, a user session for this specific user 

55 starts, and the user may be recorded in the personal 
user data base 24 as an active user. When the user logs 
off or gets disconnected from the PSSP, the user may 
again be stored as an inactive user. The messages in- 



5 



9 



EP 1 484 892 A2 



10 



dicating the start and the end of a user session will be 
stored and processed for billing purposes if the user has 
not subscribed to a flat rate. 

[0025] The internal network 14 further comprises at 
least one Mediation Point (MP) 26 which serves as an 5 
interface between the internal network 14 of the ISP and 
a Law Enforcement Agency (LEA) 28 that is authorized 
to intercept the traffic of either all users or of a number 
of specified users that qualify as lawful interception tar- 
gets. The identities of the lawful interception targets are 10 
stored at the mediation point 26, preferably together with 
more detailed information on the mode and scope of in- 
terception that is allowed and desired for each individual 
target. The mediation point 26 is connected to the facil- 
ities of the law enforcement agency 28 through a safe 15 
communication channel 30 which may be used for send- 
ing the intercepted data to the LEA 28 and also for load- 
ing the information specifying the interception targets in- 
to the mediation point 26. 

[0026] Through the internal network 14, the mediation 20 
point 26 is connected to the interception function 18 of 
at least one, preferably a plurality of PSSPs 16, as is 
symbolized by broad, contoured connection links 32 in 
figure 1. The contoured representation of the links 32 
indicates that traffic on these links occurs only in en- 25 
crypted form. 

[0027] When an end user 1 0 has logged on by the pro- 
cedure described above, the user-ID that is sent to the 
RADIUS server 22 is also supplied to the internal inter- 
ception function 1 8 of the pertinent PSSP 16. Triggered 30 
by this event, the UF 18 creates an encrypted intercep- 
tion instruction request, including the encrypted user-ID, 
and sends the same via link 32 to the mediation point 
26. Here, it is checked whether the user who has logged 
on is a lawful interception target, and an encrypted re- 35 
sponse is sent back to the IIF 18 through the link 32. 
This encrypted response message indicates whether or 
not the user is to be intercepted and in which way this 
is to be done. In accordance with the instructions con- 
tained in this encrypted response, the IIF 18 will inter- 40 
cept some or all of the traffic from or to the end user 10 
and will send the intercepted data and/or intercept re- 
lated information, again in encrypted form, to the medi- 
ation point 26 from where they are forwarded to the law 
enforcement agency 28 through the safe channel 30. As 45 
an alternative, the intercepted and encrypted data may 
be sent directly to the law enforcement agency 28 
through encrypted channels 34, as has been indicated 
in phantom lines in figure 1. 

[0028] An example of such an interception procedure 50 
will now be described by reference to figure 2. In step 
S1, a user 10 logs on to the services provided by the 
ISP and is identified by a target-ID, a user-ID in the 
present example. In step S2, the PSSP 16 through 
which the user has connected to the network, or more 55 
precisely the IIF 1 8 thereof, sends the encrypted user-ID 
to the mediation point 26. In step S3, the mediation point 
26 returns an encrypted lawful interception instruction 



set to the PSSP 1 6. This instruction set includes at least 
the information that the user shall be intercepted or shall 
not be intercepted. Instructions may further specify oth- 
er intercept related information, for example, that only 
access-connection data (e.g. time and duration of the 
user's online-usage session) or only certain end to end 
connection data (e.g. URLs of websites visited, or IP ad- 
dresses of Voice over IP communication partners) but 
not the contents of the communications itself shall be 
intercepted. Another instruction may specify that all traf- 
fic (connection data and/or contents) to and from the us- 
er shall be intercepted or only messages sent from the 
user to another destination or only messages sent from 
other sources and received by the user. Yet another in- 
struction may specify that all data packets or only a sub- 
set of the transmitted data packets (e.g. a random se- 
lection) shall be intercepted or that interception of all fol- 
lowing data packets shall be triggered by specific data 
packets that represent specific catch words that are re- 
lated to unlawful activities. Yet another instruction may 
specify that interception is restricted to traffic to or from 
specific sites or classes of sites, e.g. web servers locat- 
ed in a specific country, or to specific protocols or flows 
such as SIP traffic and RTP traffic which are utilized to 
signal and carry voice over IP or multimedia communi- 
cations. 

[0029] The internal interception function 18 will then 
perform the interception procedure in accordance with 
these instructions. In step S4, the user connects to a 
web site in the Internet 12, typically by entering a Uni- 
versal Resource Locator (URL) of the desired web site. 
Then, in step S5, the connection data, i.e. the URL, will 
be sent in encrypted form to the mediation point 26. 
[0030] If the instruction set specifies that contents 
shall also be intercepted, the data packages represent- 
ing the contents of the selected web page and being 
sent to the user 10 will also be intercepted and will be 
sent in encrypted form to the mediation point 26 or to 
the LEA 28 in step S6. 

[0031] As another example, the steps S4-S6 may also 
consist of the user 10 sending an e-mail to a specific e- 
mail address. Then, the encrypted e-mail address will 
be transmitted in step S5 and the encrypted contents of 
the e-mail will be transmitted in step S6. Conversely, if 
step S4 consists of the user retrieving an e-mail from his 
mail box, steps S5 and S6 will consist of encrypting and 
transmitting the origin and the contents of the e-mail. If 
the mail box of the pertinent user is provided by a foreign 
ISP in another country, this mail box may also be guard- 
ed by a PSSP having an internal interception function 
18 and located at a border gateway, so that the e-mail 
addressed to the specific user may be intercepted al- 
ready when it is sent to the mail box. 
[0032] In step S7, the user logs off or disconnects 
from the internal network 14 of the ISP. This triggers an 
encrypted log off message being sent to the mediation 
point 26 in step S8. 

[0033] It will be understood that, because all the traffic 
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between the PSSP 16 and the mediation point 26 is en- 
crypted, this traffic can only be understood by the perti- 
nent equipment and not by any individuals monitoring 
the traffic on the channel 32, not even by the personnel 
of the ISP itself, except the very restricted number of 
employees having access to the mediation point 26. 
Thus, secrecy of the interception-related information 
can be assured with high reliability. Since all relevant 
interception-related instructions are stored centrally in 
the mediation point, the system can easily be managed 
at low costs. The hardware and software components 
of the internal interception functions 1 8 to be implement- 
ed in the individual PSSPs 16 are the same for all 
PSSPs. 

[0034] Figure 3 illustrates the method that is em- 
ployed in cases where the user who has logged on in 
step S1 is not to be intercepted at all. In this case, the 
response to the request S2 in step S3' consists of a dum- 
my traffic command specifying that the user is not to be 
intercepted but dummy traffic shall be generated on the 
encrypted link 32 in order to disguise the fact that this 
user is not being intercepted. This will make it difficult 
for a person monitoring the traffic on the link 32 to draw 
any conclusions as to the identity of lawful interception 
targets from the traffic occurring on this link. 
[0035] The dummy traffic may be generated by the in- 
terception function of the PSSP 1 6 at random. In the em- 
bodiment shown in figure 3, however, this traffic is also 
triggered by the events S4 and S7 and by the occur- 
rence of data packets to or from the user at the PSSP 
1 6. Thus, when the user has connected to a web site in 
step S4, this event triggers encrypted dummy traffic in 
step S5\ The contents of this traffic will however be 
senseless or scrambled and in any case anonymized, 
so that the law enforcement agency or an observer can- 
not gain any knowledge on the actual event S4. It may 
be discarded at the mediation point directly upon re- 
ceipt. Thus, this kind of traffic will be allowed even in 
cases where interception of the pertinent user is legally 
forbidden. Similarly, any packet events at the PSSP 16 
will trigger encrypted dummy traffic in step S6* in order 
to mock the interception of contents. Of course, such 
dummy traffic may also be generated in case of figure 
3 if the lawful interception instruction set specifies inter- 
cept related information, e.g. that only connection data 
but no contents are to be intercepted. Further, the dum- 
my traffic command sent in step S3' may itself include 
senseless "dummy" data in order to make the length of 
this command resemble the length of a true interception 
instruction set. 

[0036] When, in figure 3, the user has logged off in 
step S7, this triggers an encrypted dummy termination 
command in step S8' mocking the step S8 in figure 2. 
Since, however, the identity of the user is not known to 
the LEA 28 or to an observer, no meaningful information 
can be gathered from the step S8', neither. 
[0037] Although the system is capable of real time in- 
terception, it may be advantageous to send the messag- 



es in steps S5, S5' and S8, S8' with a random time delay, 
so that the user may not be identified through coinci- 
dence of events S4 and S5 or S7 and S8. The exact 
time of the events S4 and S7 may be included in the 
5 encrypted messages in the form of a time stamp, if the 
user is a lawful target. 

[0038] Comparing figures 2 and 3, it can be seen that, 
unless the encryption code is cracked, the pattern of 
traffic on the link 32 for users that are actually being in- 
tercepted is indistinguishable from the pattern for users 
that are not intercepted. 

[0039] Since all the traffic on the link 32 is encrypted, 
the mediation point 26 may even be located outside of 
the internal network 14 of the service provider. This has 
been exemplified in figure 4, where the mediation point 
26 is located within the facilities of the law enforcement 
agency 28. In some countries, it may however be re- 
quired that the service provider has control over the me- 
diation point 26. In other countries, it may be required 
that the mediation point is located in the domain of the 
Law Enforcement Agency, in yet other countries it may 
be mandated or at least possible that the mediation point, 
is being operated by a third party that is especially cer- 
tified by governmental authorities. 
[0040] The mediation point 26 may store the tar- 
get-IDs of all active users together with an identification 
of a minimum of one PSSP used for accessing the net- 
work, and an identifier used to identify the usage session 
within that PSSP, so that the interception of a new target 
may be provisioned by sending an appropriate intercep- 
tion instruction set even when the user is already active. 
Likewise, the interception may be terminated or the in- 
terception instruction set may be changed while the user 
remains active. 

[0041] Figure 4 further shows an example of a PSSP 
16' for which the interception function (IF) 18 is not in- 
ternal to the PSSP but is implemented in a device out- 
side of the PSSP and connected thereto by a suitable 
interface. 

[0042] As is shown in figure 5, the function of the me- 
diation point 26 can be subdivided into two main function 
blocks which are called Intercept Management Center 
(IMC) 36 and Mediation Device (MD) 38. The IMC 36 is 
the function that receives the user ID or, more generally, 
the target-ID form the IIF 18 and returns the interception 
instruction set IIS. The MD 38 is the entity that receives 
the encrypted intercept data and/or dummy data from 
the IIF 18 and implements the handover interface to a 
Monitoring Center (MC) 40 in the law enforcement agen- 
cy 28. If the line 30 connecting the MD 38 to the MC 28 
is not considered to be safe enough, the data handed 
over to the Monitoring center 40 may still include the 
dummy data generated by the IIF 18. 
[0043] Figure 6 shows a modified embodiment, in 
which the interception management center 36 and the 
mediation device 38 are not integrated into a common 
device (such as the mediation point 26 in figure 5) but 
are embodied as separate physical entities. In this case 
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the PSSP 16, the IMC 36, the MD 38 and the MC 40 
might be operated by two, three or even four different 
legal entities. 

[0044] According to a modification which has not been 
shown, the mediation device (MD) 38 might as well be 
combined with the monitoring center (MC) 40 in the LEA 
28. 

[0045] Figures 7 to 9 show different arrangements of 
the interception management center (IMC) 36 in relation 
to the RADIUS Server 22 and the PSSP 16. In figure 7 
the IMC 36 acts as a "proxy RADIUS server". This 
means that the IMC appears as a RADIUS server to- 
ward the PSSP 16 which acts as a RADIUS client, and 
at the same time the IMC acts as a RADIUS client to- 
wards the RADIUS server 22. The traffic between these 
three entities is governed by the RADIUS protocol. 
[0046] In figure 8, so function of the IMC has been 
incorporated in the RADIUS server 22. In figure 9, the 
line interconnecting the RADIUS server 22 and the 
PSSP 16 includes a tapping device 42 which is capable 
of intercepting and manipulating RADIUS messages. 
RADIUS response messages from the RADIUS server 
22 towards the PSSP 1 6 are manipulated by the tapping 
device 42 either by manipulating an interception instruc- 
tion set that is already present in the RADIUS message 
or by inserting a new interception instruction set under 
the control of the IMC 36. Tapping device 42 may for 
example be formed by a web switch "ALTEON" (trade- 
mark) supplied by Nortel Networks Limited. 
[0047] Figure 10 illustrates another embodiment of 
the method for obscuring the traffic between the IIF 18 
and the mediation device (MD) 38 and possibly also be- 
tween the MD 38 and the MC 40. Here, the traffic con- 
sists of a continuous stream of encrypted "camouflage" 
packets 44 of a fixed size that are constantly transmitted 
from the interception point (PSSP) to the mediation de- 
vice, regardless of whether or not or how much true in- 
terception traffic is generated by PSSP If there is no in- 
terception traffic at all, the camouflage packets 44 con- 
sist only of dummy data. Conversely, if the volume of 
true interception traffic reaches the capacity limits of the 
continuous stream of the camouflage packets 44, these 
packets are almost completely filled up with intercepted 
data. 

[0048] The top line in figure 1 0 illustrates an intercept- 
ed data packet that has to be transmitted to the media- 
tion device 38 and, in the example shown, has a length 
greater than the transport capacity of a single camou- 
flage packet 44. Then, the contents of the intercepted 
packet 48 are distributed over a sufficient number of 
camouflage packets 44 (two in the given example), as 
is shown in the second line in figure 10. This line shows . 
the format of transport packets. 50, 52 and 54 that are 
to be converted into the camouflage packets 44 through 
encryption. Each transport packet includes a minimum 
of one fragment-header, which contains at least a sig- 
nificance bit 56. If this bit is set to "0", then the remainder 
of the transport packet contains only dummy traffic (64, 



66). If this bit is set to "1 the fragment header also con- 
tains, an interception ID 57, which identifides the current 
user-session of the target, a length field 58 and a "more" 
bit 60. The header - if significant - is followed by a frag- 
5 ment load section 62, which in case of the fragment load 
62 that is contained in transport packet 50 is identical to 
the maximum load section of the transport packet and 
thus to the maximum transport capacity of a single cam- 
ouflage packet. In case of the transport packet 50, the 

70 fragment load section 62 is filled to its full capacity with 
a first fraction 48a of the intercepted packet 48. The sig- 
nificance bit 56 indicates that the contents of the frag- 
ment load section 62 are significant, i. e. represent true 
intercepted data. The "more" bit 60 indicates that frag- 

15 mentation has occurred and that the subsequent frag- 
ment load section 62 includes only a fragment of the in- 
tercepted packet 48 which will be continued in the next 
transport packet 52. If the intercepted packets and/or an 
initial fragment of a packet 48 are relatively short, it is 

20 possible that two or more intercepted packets are in- 
cluded in multiple fragment load sections 62 contained 
in a single transport packet. Then each data packet_or 
fragment has its own fragment header, as a single frag- 
ment load section 62_can also carry a full packet if it is 

25 sufficiently short. The length field 58 of the fragment 
header indicates the length of the corresponding frag- 
ment load section 62. 

[0049] In the transport packet 50, the significance bit 
56 is "1", because the fragmentjoad section 62 carries 
30 the first fragment of the intercepted packet 48, and the 
"more" bit 60 is also "1", because another fragment 48b 
of the packet 48 will be included in the next transport 
packet 52. 

[0050] In case of the transport packet 52, the signifi- 
35 cance bit 56 is "1", but a "more" bit 63 is "0", because 
this transport packet will include all the rest of the current 
intercepted packet 48. The fragment load section 62 of 
packet 52 includes the last fragment 48b of the inter- 
cepted packet 48, and the length of this fragment is in- 
40 dicated in a length field 61 . Each fragment-load section 
is immediately followed by a next fragment header, if the 
fragment has not filled the transport capacity complete- 
ly. In case of packet 52, another fragment header follows 
which consists only of the significance bit 56 (set to "0"), 
45 which means that the remainder of the transport packet 
is insignificant and carries only meaningless dummy da- 
ta 64. However, multiple fragment sections 62 could 
have followed instead of dummy data 64, carrying short 
full packets and the last fragment section could have 
50 carried an initial fragment of a larger packet not fully fit- 
ting within the remainder of the transport packet 52. 
[0051] Since, in the present example, no further inter- 
cepted packet needs to be transmitted, the next trans- 
port packet 54 has a header consisting only of the sig- 
55 nificance bit 56 with the value "0" which is consequently 
followed by an insignificant fragment section 66 in this 
case. 

[0052] After the transport packets 50, 52, 54 have 



35 



40 



45 



50 



8 



15 



EP 1 484 892 A2 



16 



been encrypted to form the camouflage packets 44, it is 
impossible for an observer doing traffic analysis to de- 
cide whether or not true interception traffic occurs. 
[0053] The length and/or the transmission frequency 
of the camouflage packets 44 may be varied in accord- 5 
ance with the overall traffic load on the network, in order 
to make sure that there will always be a sufficient trans- 
port capacity for the true interception traffic. 
[0054] In a modified embodiment, in order to allow for 
variable length camouflage packets 44, the first signifi- 
cance bit in a camouflage packet may be replaced by a 
significance field, which comprises the significance bit 
followed by the total length_of the transport packet (also 
implicitly defining the length of the camouflage packet 
44, as depending on the encryption algorithm used, the 
lengths of the transport packet and of the camouflage 
packet would normally be the same). 

Claims 

1. A method for lawful interception of packet switched 
network services, comprising the steps of: 



2. The method of claim 1 , wherein said secondary in- 
terception point is identical to said primary intercep- 
tion point. 

3. The method of claim 1 , wherein the dummy data are 
generated at random. 



5. The method of claim 1 , comprising a step of sending 
a continuous stream of camouflage packets from 
the secondary interception point to the mediation 
device, said camouflage packets, including inter- 
cepted data in accordance with the demand and be- 
ing filled up with dummy data to their full length. 

6. The method of claim 1 , wherein the interception in- 
struction set includes a "conditional interception in- 
struction", instructing the PSSP to send intercept re- 
lated information or to monitor the traffic associated 
with the target-ID and start the interception of the 
complete traffic or a portion of the traffic only when 
a certain trigger condition occurs, said trigger con- 
dition being one of: 

usage of certain network or content resources 
or usage of a certain catchword, virus signature 
or bit-pattern specified in the interception in- 
struction set. 

7. A system for carrying out the method as claimed in 
claim 1, comprising: 

at least one interception point formed by a node 
in the network, 

an interception management center, and 

a mediation device serving as an interface be- 
tween the network and a law enforcement 
agency for which interception services are pro- 
visioned, 

wherein said at least one interception 
point is adapted to send a target-ID of a user 
accessing the network to said interception 
management center, 

the interception management center is adapted 
to send to at least one of said interception 
points an encrypted interception instruction set 
to be decrypted at the interception point and en- 
abling the same to perform an interception 
process in the course of which intercepted data 
are encrypted and sent to said mediation de- 
vice, and 

the at least one interception point is further 
adapted to generate dummy data and to en- 
crypt and send either the intercepted data or 
the dummy data or a combination of these, 
such that the occurrence of intercepted data is 
obscured. 

8. The system of claim 7, wherein the at least one in- 
terception point is formed by a node of the network 
that is situated at a subscriber edge of the network, 
where end users connect to the network. 



4. The method of claim 1 , wherein the dummy data are 

based on actual traffic to or from the pertinent user, 55 
but this traffic is scrambled such that, even after de- 
cryption, the contents thereof may not be recon- 
structed at the mediation device. 



15 



when a user accesses the network and is iden- 25 
tified by a target-ID at a primary interception 
point of the network, sending the target-ID to 
an interception management center, 

checking at the interception management cent- 30 
er whether the user is a lawful interception tar- 
get and sending an encrypted interception in- 
struction set to a secondary interception point, 

decrypting said interception instruction set at 35 
the secondary interception point and perform- 
ing an interception process in accordance with 
the interception instruction set, said intercep- 
tion process including the transmission of en- 
crypted interception and dummy data to a me- <o 
diation device, 

wherein said dummy data are added for obscuring 
true interception traffic between the secondary in- 
terception point and the mediation device. 45 



9 



17 



EP 1 484 892 A2 



9. The system of claim 7, wherein the interception 
point is a switch adapted to connect end users to 
an IP or Ethernet network. 

10. The system of claim 8, wherein the interception 5 
point is a switch adapted to connect end users to 

an IP or Ethernet network. 

11. The system of claim 7, comprising a plurality of in- 
terception points connected to the same intercep- 10 
tion management center. 

12. The system of claim 7, wherein said interception 
management center contains means for communi- 
cating with said PSSP according to the RADIUS *5 
protocol, and means for intercepting RADIUS mes- 
sages either directly or using a tapping device (42) 

in a way that is transparent to a RADIUS server. 

13. The system of claim 7, wherein said interception 20 
management center contains means for communi- 
cating with said PSSP according to the RADIUS 
protocol, and means for acting as RADIUS proxy 
server towards the client PSSP and a RADIUS serv- 
er. 25 

14. The system of claim 7, wherein said interception 
management center is combined with a RADIUS 
server. 
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